AFRL-RI-RS-TR-201 4-021 


ANALYSIS  AND  DESIGN  OF  COMPLEX  NETWORK 
ENVIRONMENTS 


BRIGHAM  YOUNG  UNIVERSITY 

FEBRUARY  2014 

FINAL  TECHNICAL  REPORT 


APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED 


STINFO  COPY 


AIR  FORCE  RESEARCH  LABORATORY 
INFORMATION  DIRECTORATE 


■  AIR  FORCE  MATERIEL  COMMAND 


■  UNITED  STATES  AIR  FORCE 


■  ROME,  NY  13441 


NOTICE  AND  SIGNATURE  PAGE 


Using  Government  drawings,  specifications,  or  other  data  included  in  this  document  for  any  purpose 
other  than  Government  procurement  does  not  in  any  way  obligate  the  U.S.  Government.  The  fact  that 
the  Government  formulated  or  supplied  the  drawings,  specifications,  or  other  data  does  not  license  the 
holder  or  any  other  person  or  corporation;  or  convey  any  rights  or  permission  to  manufacture,  use,  or 
sell  any  patented  invention  that  may  relate  to  them. 

This  report  is  the  result  of  contracted  fundamental  research  deemed  exempt  from  public  affairs  security 
and  policy  review  in  accordance  with  SAF/AQR  memorandum  dated  10  Dec  08  and  AFRL/CA  policy 
clarification  memorandum  dated  16  Jan  09.  This  report  is  available  to  the  general  public,  including 
foreign  nationals.  Copies  may  be  obtained  from  the  Defense  Technical  Information  Center  (DTIC) 
(http://www.dtic.mil). 


AFRL-RI-RS-TR-20 1 4-02 1  HAS  BEEN  REVIEWED  AND  IS  APPROVED  FOR  PUBLICATION  IN 
ACCORDANCE  WITH  ASSIGNED  DISTRIBUTION  STATEMENT. 


FOR  THE  DIRECTOR: 


/  s  / 

ROBERT  KAMINSKI 
Work  Unit  Manager 


/  S  / 

WARREN  H.  DEBANY  JR. 
Technical  Advisor,  Information 
Exploitation  and  Operations  Division 
Information  Directorate 


This  report  is  published  in  the  interest  of  scientific  and  technical  information  exchange,  and  its 
publication  does  not  constitute  the  Government’s  approval  or  disapproval  of  its  ideas  or  findings. 


REPORT  DOCUMENTATION  PAGE 


Form  Approved 
OMB  No.  0704-0188 


The  public  reporting  burden  for  this  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information,  including 
suggestions  for  reducing  this  burden,  to  Department  of  Defense,  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports  (0704-0188),  1215  Jefferson  Davis  Highway, 
Suite  1204,  Arlington,  VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  any  penalty  for  failing  to  comply  with  a  collection  of 
information  if  it  does  not  display  a  currently  valid  OMB  control  number. 

PLEASE  DO  NOT  RETURN  YOUR  FORM  TO  THE  ABOVE  ADDRESS. 


2.  REPORT  TYPE 


1.  REPORT  DATE  (DD-MM-YYYY) 

FEB  2014 


4.  TITLE  AND  SUBTITLE 


FINAL  TECHNICAL  REPORT 


ANALYSIS  AND  DESIGN  OF  COMPLEX  NETWORK 
ENVIRONMENTS 


3.  DATES  COVERED  (From  -  To) 

AUG  2011  -  AUG  2013 


5a.  CONTRACT  NUMBER 

FA8750-1 1-1 -0236 


5b.  GRANT  NUMBER 


5c.  PROGRAM  ELEMENT  NUMBER 


6.  AUTHOR(S) 


SEAN  WARNICK,  DANIEL  ZAPPALA 


5d.  PROJECT  NUMBER 


UGOV 


5e.  TASK  NUMBER 


5f.  WORK  UNIT  NUMBER 


7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Brigham  Young  University 

Office  of  Research  &  Creative  Activities,  Department  of  Computer  Science 

University  Hill 

Provo,  UT  84602-1231 


9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 


PERFORMING  ORGANIZATION 
REPORT  NUMBER 


10.  SPONSOR/MONITOR'S  ACRONYM(S) 

AFRL/RI 


Air  Force  Research  Laboratory/RIG 
525  Brooks  Road  11  ■  sponsor/monitor’s  report  number 

Rome  NY  13441-4505 

AFRL-RI-RS-TR-201 4-021 


12.  DISTRIBUTION  AVAILABILITY  STATEMENT 

Approved  for  Public  Release;  Distribution  Unlimited.  This  report  is  the  result  of  contracted  fundamental  research  deemed 
exempt  from  public  affairs  security  and  policy  review  in  accordance  with  SAF/AQR  memorandum  dated  10  Dec  08  and 
AFRL/CA  policy  clarification  memorandum  dated  16  Jan  09. 


14.  ABSTRACT 

This  work  extends  previous  research  employing  1)  dynamical  structure  functions  as  a  new  modeling  tool  for  complex 
network  environments,  and  2)  the  network  design  cycle  as  a  mechanism  for  unifying  theoretical  and  applied  research.  In 
particular,  this  work  explores  a  specific  application  to  a  wireless  mesh  network  environment  and  extends  the  theoretical 
results  to  include  necessary  and  sufficient  informativity  conditions  for  network  reconstruction  from  input-output  data, 
vulnerability  analyses  of  both  open-loop  and  closed-loop  architectures,  and  the  synthesis  of  distributed  feedback 
controllers  with  arbitrary  network  structure  constraints. 


15.  SUBJECT  TERMS 

Complex  Networks,  Network  Design,  Wireless  Mesh  Networks,  Bio-chemical  Reaction  Networks 


16.  SECURITY  CLASSIFICATION  OF: 

17.  LIMITATION  OF 
ABSTRACT 

18.  NUMBER 

OF  PAGES 

19a.  NAME  OF  RESPONSIBLE  PERSON 

ROBERT  L.  KAMINSKI 

a.  REPORT 

U 

b.  ABSTRACT 

U 

c.  THIS  PAGE 

U 

SAR 

48 

19b.  TELEPHONE  NUMBER  ( Include  area  code) 

N/A 

Standard  Form  298  (Rev.  8-98) 
Prescribed  by  ANSI  Std.  Z39.18 


Contents 


Figures  ii 

Tables  iii 

1  Summary .  1 

2  Introduction .  2 

2.1  What  is  a  “complex”  networked  environment? .  2 

2.2  What  is  the  network  design  cycle? .  3 

3  Methods,  Assumptions,  and  Procedures .  4 

4  Results  and  Discussion  4 

4.1  Using  signal  structure  to  map  and  detect  interference  in 

wireless  mesh  networks .  4 

4.1.1  Background .  4 

4.1.2  Modelingthe  802.11  MAC .  7 

4.1.3  Wireless  Network  Mapping .  14 

4.1.4  Transitory  Interference  Detection .  15 

4.2  Necessary  and  sufficient  conditions  for  network  reconstruction .  20 

4.3  Vulnerability  of  open-  and  closed-loop  systems .  26 

4.3.1  Attack  Models .  26 

4.3.2  Link  Models .  27 

4.3.3  Background:  Dynamical  Structure  Function .  28 

4.3.4  Vulnerable  Links  .  30 

4.3.5  Numerical  Example .  35 

4.4  Design  of  stabilizing  distributed  controllers  with  arbitrary  signal  structure 

constraints .  36 

5  Conclusions .  40 

6  References .  41 

7  Acronyms  .  42 


Figures 

List  of  Figures 

1  The  Network  Design  Cycle .  4 

2  Structures  given  by:  (a)  the  state  space,  (b)  the  transfer  function,  and  (c)  the 

dynamical  structure  function.  Here,  x-i  is  a  hidden  state:  it  is  not  measured 
directly  and  as  a  result  is  not  seen  in  the  DSF  representation .  7 

3  Model  validation,  man-in-the-middle  graph .  11 

4  Model  validation,  6-chain  graph .  12 

5  Model  validation,  6-cycle  graph .  13 

6  Example  wireless  network,  with  transitory  devices  shown  in  red,  along  with 

corresponding  contention  graph .  16 

7  Structure  of  the  DSF  before  and  after  intrusion .  17 

8  Perturbation  Experiments  for  Wireless  Network  without  Transitory  Interference  18 

9  Perturbation  Experiments  for  Wireless  Network  with  Transitory  Interference  19 

1 0  The  system  with  the  perturbation  A.  Black  arrows  indicate  secure  links,  while 

blue  arrows  indicate  vulnerable  links .  30 

1 1  System  with  the  perturbation  Ae/e^  .  31 

12  Necessary  and  sufficient  condition  for  stability  of  the  system  in  Figure  11..  31 

13  A  system  with  a  secure  link  in  a  cycle.  Black  arrows  represent  the  secure  links.  3  4 

14  Vulnerable  and  secure  architectures  for  the  same  transfer  function.  Black  links 

are  secure,  vulnerable  links  are  colored  blue,  yellow,  and  red  in  the  increasing 
order  of  their  vulnerability. .  36 


ii 


Tables 


List  of  Tables 


1  Reconstruction  Without  Transient  Interference .  18 

2  Reconstruction  With  Transient  Interference .  21 


1.0  Summary 


This  work  presents  results  exploring  the  use  of  dynamical  structure  functions,  and  their 
associated  signal  structure,  as  a  modeling  tool  to  map  and  detect  the  interference  structure 
in  wireless  mesh  networks.  As  wireless  networks  become  more  pervasive,  it  is  increasingly 
important  to  have  efficient  algorithms  for  mapping  the  network  and  detecting  interfering 
devices  that  can  impact  performance.  Recent  work  on  partial  structure  representations  of 
linear  time  invariant  controlled  dynamic  systems  offers  a  vehicle  for  addressing  these  issues 
in  new  and  efficient  ways.  In  particular,  we  use  the  signal  structure,  which  is  the  open- 
loop  causal  relationships  among  signals,  to  represent  causal  relationships  between  links  in 
a  wireless  network.  To  accomplish  this,  we  develop  a  smooth,  differential  equation  model 
for  the  802.11  MAC  and  validate  it  using  ns-3  simulations.  We  then  propose  a  network 
mapping  protocol  that  constructs  the  signal  structure  of  the  network  during  live  operation 
using  O(n)  perturbation  experiments.  Each  experiment  deliberately  changes  the  sending 
rate  on  a  particular  link,  while  monitoring  the  actual  rates  realized  across  the  network. 
The  resulting  map  indicates  causal  relationships  between  link  rates,  rather  than  its  physical 
topology.  This  allows  us  to  detect  intrusive  devices  that  temporarily  disrupt  communication 
and  impair  system  performance. 

To  support  this  use  of  the  signal  structure  for  mapping  interference  in  wireless  mesh 
networks,  we  also  extend  previous  theoretical  work  in  the  conditions  needed  to  reconstruct  a 
network  from  data.  In  particular,  we  demonstrate  precisely  the  a  priori  structural 
information  that  is  both  necessary  and  sufficient  to  reconstruct  a  network  from  input- 
output  data. 

We  then  consider  the  security  issues  arising  from  networks  with  particular  structures 
and  develop  a  theory  of  vulnerability  for  both  open  and  closed  loop  systems.  We  consider 
destabilizing  attacks,  which  are  attacks  on  a  single  link  within  a  system  that  could  potentially 
destabilize  the  entire  system.  We  define  the  vulnerability  of  a  link  to  be  the  inverse  of  the 
effort  required  on  that  link  to  destabilize  the  system.  With  these  definitions,  we  formulate  two 
problems  where  we  wish  to  minimize  vulnerability.  The  first,  the  open-loop  problem,  exists 
when  we  are  given  a  fixed  system  design  and  have  complete  control  over  its  implementation. 
We  show  that  for  such  a  system,  we  can  always  create  a  completely-secure  implementation 
an  implementation  with  zero  vulnerability  if  we  eliminate  all  internal  feedback  from  the 
systems  structure.  The  second,  the  closed-loop  problem,  occurs  when  there  exists  some 
restrictions  to  the  systems  implementation.  In  particular,  we  consider  the  case  where 
the  system  is  implemented  by  two  subsystems  of  given  design  are  connected  in  feedback. 
We  show  that  the  vulnerability  of  one  system  is  only  dependent  on  the  design  and  not  the 
implementation  of  the  other.  We  then  show  that  removing  internal  feedback  from  a 
subsystem  does  not  necessarily  minimize  vulnerability;  that  it  is  possible  to  fight  fire  with 
fire  and  use  internal  feedback  to  combat  the  vulnerability  introduced  by  connecting  systems 
in  feedback. 

Finally,  we  consider  the  problem  of  synthesizing  systems  with  a  particular  network 
structure.  In  particular,  we  consider  the  design  of  feedback  controllers  that  are  designed 
to  stabilize  a  given  unstable  system  but  must  have  a  particular  (specified)  network 
structure.  Although  this  problem  is  known  to  be  hard  in  general,  we  consider  a  particular 
heuristic  and  demonstrate  that  either  our  design  process  yields  stabilizing  controller  with 
the  desired  structure,  or  no  such  controller  exists. 
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2.0  Introduction 


The  study  of  network  environments  have  received  considerable  attention  from  various 
disciplines  over  the  last  20  years.  This  is  in  part  due  to  the  rise  of  the  internet,  but  it  also 
is  due  to  advances  in  biology  that  have  brought  new  kinds  of  networked  “machines”  into 
clear  view  that  contrast  sharply  with  our  solid-state,  engineered  systems.  The  research 
discussed  here  takes  a  fresh  view  of  these  new,  “complex”  network  environments  and 
answers  fundamental  questions  about  1)  the  design  of  experiments  necessary  to  discover 
their  structure  (and  thus  adapt  system  inputs  to  optimize  the  resulting  performance),  and 
2)  the  relation-  ship  between  network  structure  to  vulnerability  and  attack,  and  3)  the 
design  of  stabilizing  feedback  systems  that  respect  a  particular  network  structure. 

Specifically,  this  work  explores  these  issues  in  the  context  of  both  wireless  mesh  networks. 
This  research  unites  theoretical  work  that  clarifies  fundamental  limitations  of  complex  net¬ 
works  with  network  engineering  to  implement  specific  designs  and  experimentally  verify  the 
theoretical  discoveries  in  what  we  call  the  “network  design  cycle.”  Although  more  work  is 
needed  to  compare  that  behavior  of  real  networks  with  our  models,  this  work  lays  a  clear 
foundation  for  subsequent  results. 

2.1  What  is  a  “complex”  networked  environment? 

The  descriptor  “complex”  has  been  used  in  other  studies  to  characterize  networks  that  are 
large,  meaning  that  a  graph  used  to  represent  the  network  has  a  large  number  of  nodes. 
Often  the  number  of  edges  is  also  taken  to  be  large  and  devoid  of  certain  regular  structure, 
so  that,  for  example,  a  tree-structured  graph  would  not  be  considered  “complex.”  In  these 
studies  one  typically  looks  for  hidden  regularities  or  patterns  that  characterize  the  structure 
of  the  graph  in  simple  terms  in  spite  of  these  other  “complexities.”  A  typical  example  would 
be  small-world  networks. 

In  this  work,  we  consider  different  environments,  where  “network”  refers  to  an  inter¬ 
connected  dynamical  system.  In  these  environments,  system  behavior  is  as  important  a 
characteristic  of  the  network  as  is  its  structure.  The  descriptor  “complex”  then  refers  to 
both  the  network  behavior  as  well  as  its  structure. 

This  work  addresses  networks  with  complex  behavior  by  considering  systems  with 
underlying  nonlinear  dynamics  and  noisy  measurements.  As  a  first  step,  the  results 
presented  here  leverage  Lyapunov  theory  to  apply  linear  analysis  locally  to  regions  near 
equilibria  of  the  underlying  nonlinear  system.  Extending  these  results  globally  to  the 
underlying  non-  linear  system  is  not  immediately  obvious  and  requires  new  thinking  about 
the  meaning  of  structure,  beyond  that  already  developed  in  this  research.  As  a  result, 
global  analysis  is  left  for  future  research. 

This  work  also  addresses  networks  with  complex  structure.  Besides  the  usual  definition, 
of  a  “complex”  network  structure  represented  by  a  graph  with  a  large  number  of  nodes  and 
non-trivial  edge  patterns  (e.g.  allowing  for  arbitrarily  complicated  feedback  relationships), 
this  work  also  makes  a  particular  contribution  by  developing  representation  and  analysis  tools 
applicable  to  networks  of  dynamical  systems  with  potential  hidden  entanglements  among  un¬ 
measured  variables.  This  “potential  entanglement”  type  of  network  complexity  is  previously 
unaddressed  in  the  literature,  yet  it  becomes  particularly  important  for  inferring  network 
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structure  from  behavioral  data. 

Appreciating  the  power  of  structural  representations  that  allow  for  potential 
entanglement  among  unmeasured  variables  to  simplify  network  inference  problems  is 
subtle,  but  it  is  a  central  contribution  of  this  research  program.  Consider,  for  example,  a 
network  that  is  composed  of  the  interconnection  of  various  subsystems.  By  definition, 
each  subsystem’s  internal  states  only  affect  that  subsystem,  and  the  interconnection 
variables  are  themselves  measured  quantities.  Inferring  this  network  “subsystem” 
interconnection  structure  from  data  thus  demands  the  discovery  of  the  true  partition  of  all 
of  the  system’s  unmeasured  states  into  their  appropriate  subsystem  components. 
Discovering  such  a  partition  from  measured  data  can  be  extremely  difficult  or  impossible. 
This  research,  on  the  other  hand,  leverages  a  different  representation  of  system  structure, 
called  signal  structure,  that  does  not  rely  on  the  idea  of  subsystems  and  allows  for  potential 
entanglement  among  unmeasured  states.  As  a  result,  inferring  a  system’s  signal  structure 
requires  much  less  information,  and  thus  fewer  experiments,  than  inferring  a  system’s 
subsystem  structure. 

One  contribution  of  this  research  is  to  thoroughly  understand  the  relationships  between 
a  system’s  subsystem  and  signal  structures.  Often,  systems  with  solid-state  components 
(such  as  routers  in  the  internet)  have  subsystem  and  signal  structures  that  are  equivalent. 
Sometimes,  however,  systems  have  a  fluid-like  character  (such  as  bio-chemical  reaction  net¬ 
works  or  wireless  mesh  networks)  and  the  resulting  subsystem  and  signal  structures  can  be 
very  different.  Characterizing  informativity  conditions  and  developing  scalable  algorithms 
for  network  reconstruction  (i.e.  inference)  of  signal  structure  are  among  the  primary 
theoretical  contributions  of  this  effort.  These  models  of  complex  networked  environments 
also  facilitate  a  novel  robustness  analysis  that  leads  to  new  results  about  system  vulnerability 
and  security.  Moreover,  designing  systems  that  meet  network  constraints  yet  accomplish 
specific  tasks,  such  as  the  stabilization  of  a  given  system,  is  known  to  be  a  hard  problem. 
Nevertheless,  we  offer  a  heuristic  that  either  results  in  the  desired  design  or  proves  no  such 
design  exists.  These  contributions  are  highlighted  when  applied  to  complex  network 
environments  that  exhibit  both  the  behavioral  and  structural  complexity  as  described. 

2.2  What  is  the  network  design  cycle? 

Besides  the  theoretical  contributions  of  this  work,  this  research  represents  an  active 
collaboration  between  theoretical  development  and  physical  implementation  and  testing 
on  real  complex  networks.  This  collaboration  is  most  evident  in  our  work  on  wireless 
mesh  networks,  where  active  modeling  and  protocol  design  efforts  lead  to  simulation, 
implementation,  and  experimental  testing  on  our  live  wireless  mesh  test-bed.  Similar 
collaborations  for  bio-chemical  reaction  networks  began  to  emerge  during  this  study,  but 
the  implementation  and  experimental  testing  is  incomplete  and  part  of  ongoing  research. 

The  network  design  cycle  defines  the  scientific  process  we  engage  that  unites  our 
theoretical  and  applied  work.  The  next  section  discusses  how  we  use  the  Network  Design 
Cycle  to  interconnect  our  theoretical  results  to  applications,  such  as  wireless  mesh 
networks.  Section  3  then  details  our  results  modeling  wireless  mesh  networks,  developing 
informatively  conditions  for  network  reconstruction,  introducing  a  theory  of  vulnerability, 
and  presenting  a  heuristic  for  designing  stabilizing  distributed  feedback  controllers  with  a 
specific  network  structure  (or  showing  that  no  such  controller  exists). 
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Figure  1 :  The  Network  Design  Cycle 

3.0  Methods,  Assumptions,  and  Procedures 

To  address  these  problems,  our  work  uses  a  method  we  call  the  Network  Design  Cycle,  as 
shown  in  Figure  1.  We  start  by  formulating  a  mathematical  model  of  the  network,  precisely 
characterizing  how  it  operates.  In  a  wireless  network,  this  may  involve  describing  how  nodes 
interact  via  carrier  sensing  and  interference.  Based  on  this  model,  we  carefully  formulate 
the  research  problem,  such  as  providing  optimal  performance  or  detecting  malicious  nodes. 
The  next  step  is  to  design  algorithms  and  protocols  that  will  solve  the  problem.  We  then 
implement  the  solution,  which  often  requires  considering  additional  complexities  that  arise 
when  building  and  deploying  code  on  a  network.  Finally,  we  run  experiments  to  validate  that 
the  solution  works  as  designed,  for  example  by  providing  optimal  performance  or  security 
guarantees.  If  performance  deviates  from  what  is  expected,  this  means  that  our  original 
model  or  problem  formulation  was  wrong.  This  leads  to  another  iteration  of  the  design 
cycle,  where  we  create  a  refined  model  or  reformulate  the  problem. 

For  the  steps  that  involve  implementation  and  experimental  evaluation,  we  use  a  variety 
of  tools.  We  use  MATLAB  to  numerically  evaluate  algorithms,  ensuring  that  they  converge 
to  the  expected  solution  and,  in  some  cases,  provide  optimal  performance.  For  experimental 
testing,  we  use  a  wireless  mesh  network  deployed  in  our  department’s  building,  consisting 
of  30+  computers  configured  as  wireless  routers,  spread  over  two  floors.  The  mesh  network 
can  be  configured  so  that  it  uses  802.11a,  and  we  ensure  that  we  select  a  channel  with  no 
other  traffic,  so  that  we  can  run  experiments  without  any  outside  noise  when  desired.  Our 
protocols  are  implemented  using  WiFi,  a  toolkit  developed  with  funding  from  NSF  that 
enables  rapid  deployment  of  experimental  wireless  protocols  in  user-space. 

4  Results  and  Discussion 

4.1  Using  signal  structure  to  map  and  detect  interference  in 
wireless  mesh  networks 

4.1.1  Background 

Dynamical  structure  functions  are  a  representation  for  linear  time  invariant  systems 
developed  in  [5].  A  DSF  gives  a  partial  representation  of  the  structure  of  the  system,  namely 
how  the  inputs  affect  the  manifest  states  and  how  the  manifest  states  affect  each  other.  A 
brief  derivation  is  provided  below;  for  a  full  derivation  see  [17]. 

Let  us  consider  a  state-space  LTI  system 
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Herey  are  the  states  that  are  measured,  and  x  are  the  hidden  states.  Note  that  the 
assumption  in  the  second  equation  is  made  for  notational  convenience. 

Taking  Laplace  Transforms  of  the  signals  in  (1),  we  get 


sY~ 

A\\  A12 

y" 

"A 

sX 

A2\  A2  2 

X 

+ 

b2_ 

(2) 


Solving  for  X  in  the  second  equation  of  2  gives 

X  =  (si  -  AnY'An  Y  +  (si  -A22Y'B2U 

Substituting  into  the  first  equation  of  (2)  we  get, 

sY  =  WY+VU, 

where  W  =  A^+A^2(sl  ~A22)~^A2^  and  V  =  /A12(s/  -A22)~^B2+B^.  Let  D  be  a  diagonal 
matrix  with  the  diagonal  entries  of  W.  Then, 

(si  -  D)Y  =  (1/1/  -  D)Y  +  VU. 

Now  we  can  rewrite  this  equation  as, 


Y  =  QY  +  PU,  (3) 

where 

Q=(sl  -DY\W  -  D ) 

P  =  (si  -  D)_1  V. 

The  matrix  Q  is  a  matrix  of  transfer  functions  from  Y/  to  Yj,  //=  j,  relating  each  measured 
signal  to  the  other  measured  signals.  A  nonzero  entry  in  Qy,  says  that  the  signal  Y,-  affects  the 
signal  V)  either  directly  or  through  some  hidden  states.  Note  that  Q  is  zero  on  the  diagonal 
and  either  zero  or  a  strictly  proper  transfer  function  on  the  off  diagonal.  The  matrix  P  is  a 
matrix  of  zeros  or  strictly  proper  transfer  functions  from  each  input  to  each  output  without 
depending  on  any  additional  measured  states.  Together,  the  pair  (Q(s),  P(s))  is  called  the 
dynamical  structure  function  for  system  (1).  The  transfer  function  matrix  for  this  system 
is  given  by 

G  =  (/  -  Q)-1P  =  C(sl  -  AY'B. 

An  example  of  the  dynamical  structure  function  representation  of  an  LTI  system  is  given  in 
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Examplel .  Example  1.  Let  us  consider  a  system  with  two  measured  states  given  by  the 
following  state  space  equation. 
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The  DSF  for  this  system  is  given  by, 


Q= 


P= 


o 


(s+l)  (s+5) 
s+3 


s2+7s+9 
6  0 


s^+7  s+9 

o 


2  (s+l)  1  2  (s+5)  J 


and  the  transfer  function  is  given  by 


G  = 


(s+l)  (s+5) 


s3+10s2+26s+ll  s3+10s2+26s+ll 

_ 6 _  sa+7s+9 

s3+10s2+26s+ll  «3+10s2+26«+ll 


(4) 


Figure  2  shows  a  graphical  view  of  this  system  in  various  representations.  Figure  2(a) 
shows  the  state  space  realization  of  the  system,  which  contains  information  about  the 
dependency  among  input,  state,  and  output  variables.  Essentially,  the  state  space  of  the 
system  defines  both  the  structure  and  dynamics  of  the  entire  network.  A  simpler 
representation  is  shown  in  Figure  2(b),  the  system’s  transfer  function  contains  the  dynamics 
of  the  system,  but  yields  no  information  about  the  structure  of  the  network.  In  Figure  2(c) 
the  DSF  of  this  system  shows  the  relationship  between  the  measured  states,  y- \  and  y2, 
something  not  visible  from  the  system’s  transfer  function.  In  the  situations  when  a  complete 
state  space  model  of  the  system  cannot  be  obtained,  a  DSF  model  of  the  system  can  be  used 
to  obtain  a  partial  structure  of  the  system.  Note  that  when  all  the  states  are  measured, 
DSF  models  give  the  actual  structure  of  the  system. 

For  a  given  network  system,  if  we  know  sufficient  information  about  how  the  inputs  affect 
the  measured  states  then  we  can  reconstruct  the  DSF  of  the  system  from  the  input-output 
data.  A  sufficient  condition  for  the  reconstructibility  is  that  if  P  is  square  and  diagonal 
and  G  is  invertible[5].  This  method  has  been  used  successfully  to  identify  the  structure  of 
biochemical  networks  in  [7].  Since  these  biological  systems  are  highly  nonlinear,  an 
equilibrium  is  chosen  for  the  reconstruction.  Then,  the  input  is  provided  as  small 
perturbations  to  the  equilibrium  input  and  the  corresponding  perturbed  outputs  are 
measured.  Once  the  inputs  and  equilibrium  outputs  are  collected,  reconstruction  can  be  done 
using  the  technique  described  in  [18]. 
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A — A  A  A — A 

(a)  Complete  structure  of  the  system  (4).  This  can  be  obtained  if  the  state  space  model  of  the 
system  is  known. 


(b)  Structure  given  by  the  Transfer  Function  of  system  (4). 


<hi 


<hi 

(c)  Structure  given  by  the  DSF  of  system  (4). 


Figure  2:  Structures  given  by:  (a)  the  state  space,  (b)  the  transfer  function,  and  (c)  the 
dynamical  structure  function.  Here,  x-i  is  a  hidden  state:  it  is  not  measured  directly  and  as 
a  result  is  not  seen  in  the  DSF  representation. 

4.1.2  Modeling  the  802.11  MAC 

Our  mapping  methodology  uses  the  reconstruction  method  given  in  [18],  which  assumes  that 
the  actual  nonlinear  system  is  smooth,  i.e.  it  can  be  modeled  as  a  system  of  differential 
equations.  However,  we  know  that  wireless  networks  are  discrete  event  systems  with 
dynamics  determined  by  the  choice  of  the  sending  nodes  to  send  packets  at  certain  times. 

In  this  section,  we  show  that  although  wireless  networks  are  discrete  event  systems,  their 
equilibrium  properties  as  well  as  the  transition  dynamics  can  be  captured  by  differential 
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equations.  Model  Description 

We  seek  to  develop  a  continuous,  differential  model  for  the  carrier  sensing  and  back¬ 
off  behavior  of  the  802.11  MAC.  Packets  sent  to  the  MAC  layer  from  TCP  and  IP  are  queued 
in  the  MAC  layer  until  they  can  be  transmitted.  Queued  packets  are  sent  as  soon  as 
possible,  leading  the  MAC  to  consume  all  available  bandwidth.  Instantaneous  sending  rates 
are  either  zero  or  the  full  link  speed.  To  facilitate  analysis,  we  consider  instead  the  average 
rate  over  a  sliding  window.  This  smooths  the  discontinuities  of  instantaneous  rates  and 
allows  us  to  accurately  model  rate  dynamics  with  differential  equations. 

We  consider  wireless  networks  from  a  link  point  of  view.  Let  X/denote  the  normalized 
sending  rate  of  link  /  and  let  bt  denote  the  buffer  size.  The  rate  of  change  in  the  buffer 
size  is  the  difference  between  the  rate  of  packet  arrival  and  departure  from  the  buffer,  i.e. 

=  Uj  -  Xj  where  u,  is  the  rate  at  which  packets  are  sent  from  higher  layers  to  the  MAC 
layer. 

The  dynamics  for  x,-  should  move  x,  to  consume  the  available  rate.  To  determine  how 
much  bandwidth  is  available  to  link  x,-,  it  is  useful  to  view  normalized  rates  as  the  probability 
that  a  particular  link  is  active  at  a  given  time.  The  bandwidth  available  to  link  /  is  the 
probability  that  none  of  the  links  are  active  which  contend  with  link  /. 

Let  X,  denote  a  Bernoulli  random  variable  indicating  whether  link  /  is  broadcasting,  i.e., 
P(X/  =  1)  =  Xj  and  P(X,-  =  0)  =  1  -x,.  Similarly,  let  X,  be  a  Bernoulli  random  variable 
indicating  whether  any  link  contending  with  link  /  is  broadcasting.  By  the  Law  of  Total 
Probability,  the  bandwidth  available  to  link  /  is 

P(Xj  =  0)  =P(X,  =  1  )P(Xj  =  0 1  Xj  =  1 ) 

+P  (Xj  =  0)P  (Xj  =  0 1  Xj  =  0).  (5) 

We  assume  that  two  contending  links  never  broadcast  concurrently, so  P(X,-  =  0  |X,-  = 

1)  =  1.  We  assume  temporarily,  for  clarity  of  exposition,  that  link  /  is  the  only  common 
link  between  cliques. 

To  avoid  wasting  bandwidth,  the  available  rate  should  only  influence  the  dynamics  for  link  / 
when  there  are  buffered  packets  ready  to  be  sent.  This  effect  could  be  modeled  using  a  step 
function  but  would  introduce  a  discontinuity  into  the  dynamics.  Instead,  we  use  a 

sigmoid  as  a  continuous  approximation,  i.e.,  o(b )  =  1  where  a  dictates  the  slope  of  the 

sigmoid  at  zero.  For  our  simulations,  we  let  a  =  1 . 

The  802.1 1  MAC  dictates  short  periods  of  mandatory  silence  following  each  transmission. 
In  addition  to  fixed  length  delays,  stations  are  required  to  wait  for  a  period  of  random 
duration  before  transmitting.  This  is  done  to  avoid  collisions  caused  by  multiple  stations 
attempting  to  broadcast  immediately  following  the  end  of  a  transmission.  The  random 
back-off  time  is  chosen  uniformly  within  a  range  known  as  the  contention  window.  The 
combination  of  mandatory  silence  and  the  random  back-off  decreases  the  maximum  achievable 

throughput.  We  denote  the  proportion  of  achievable  throughput  for  link  /  by  /3,-  e  (0, 1). 

The  overall  dynamics  for  a  topology  having  at  most  one  common  link  between  any  two 
cliques  are 
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Uj  Xi 
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fc£Lj\i 


1  -  Xi 


£  **\\ 


1 ) 


To  generalize  the  result  to  allow  for  more  overlap  between  cliques,  let 


0/  =  {/}  u  {J :  3/c,  I,  k/=  \,j  €  Lk  ,j  e  /.,,  and  k,  /  e  C,} 


denote  the  set  of  links  common  to  multiple  cliques  in  C,-.  The  union  with  {/'}  ensures  the 
model  simplifies  correctly  in  the  case  where  link  /  belongs  to  a  single  clique.  Allowing  for 
this  in  the  preceding  development  leads  to  the  dynamics 


(7) 


Uj  -T.j 


Methodology 

To  validate  our  model  we  compare  a  MATLAB  computation  of  the  differential  model 
to  packet-level  ns-3  simulations.  (For  validations  of  the  ns-3  simulator  itself,  see  [3].)  We 
simulate  various  contention  relationships  and  monitor  all  carrier  sensing  behavior  in  the 
network.  We  calculate  rates  for  a  link  as  the  normalized  ratio  of  successful  channel  accesses 
as  compare  to  total  airtime. 

For  each  simulation,  we  create  a  wireless  network  consisting  of  a  set  of  senders  and 
receivers  placed  a  fixed  distance  from  one  another.  An  application  at  each  sender  transmits 
packets  of  uniform  size  to  its  designated  receiver  counterpart  at  a  specified  rate.  The  u 
parameter  of  our  model  represents  the  rate  at  which  packets  are  sent  from  higher  layers 
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to  the  MAC  layer.  Host  start  times  are  staggered  in  one  second  increments,  and  run  for  a 
duration  of  500  seconds.  During  this  time,  whenever  a  host  successfully  captures  the  medium, 
i.e.  clears  carrier  sensing,  a  logger  hooked  into  the  MAC  layer  records  this  information  along 
with  a  timestamp.  It  is  the  collection  of  this  data  across  all  sending  hosts  in  the  network 
that  comprises  our  data  set. 

Each  host  in  the  simulated  environment  houses  a  full  network  stack,  utilizing  the  IEEE 
802.1 1g  protocol  for  communication.  Link  speeds  are  set  using  a  baseline  of  6  Mbps,  the 
default  802.11  access  point  broadcast  rate.  End-to-end  transmission  is  achieved  via  the 
UDP  transport  protocol,  avoiding  the  extra  complexities  of  reliability  and  congestion  control 
inherent  in  TCP.  Standard  Ethernet  MTU  packet  sizes  of  1500  bytes  are  used,  and  MAC 
layer  retries  are  disabled,  so  as  to  avoid  influencing  simulation  results. 

Validation 

We  validate  our  model  using  three  different  topologies,  involving  paths  and  cycles  of 
various  lengths.  We  construct  chain  topologies  such  that  all  nodes  are  equally  spaced  along 
a  straight  line,  and  for  any  three  sequential  nodes  along  the  path,  the  left  node  and  right 
node  are  in  contention  range  only  of  the  center  node  and  not  with  one  another,  whereas  the 
center  node  is  in  contention  range  with  both  edge  nodes.  We  construct  cycle  topologies  as 
regular  n-sided  polygons,  where  each  node  contends  with  exactly  two  other  nodes,  its  direct 
neighbors. 

We  begin  the  validation  with  a  3-chain,  or  a  man-in-the-middle  topology.  As  shown  in 
Fig.  3,  both  our  model  and  the  simulator  accurately  capture  the  starvation  of  the  link  in  the 
middle,  a  well-known  result.  In  this  case,  our  model  uses  U  =  [1  1  1],  a  =  1,  and/3  =  0.875. 
A  controller  for  this  network  would  limit  the  sending  rates  of  the  outer  links,  allowing  the 
link  in  the  middle  more  bandwidth.  When  the  outer  links  are  given  reduced  rates,  our  model 
agrees  very  closely  with  ns-3  in  giving  the  additional  bandwidth  to  the  link  in  the  middle.  To 
do  this,  the  /3  parameter  in  our  model  must  be  varied,  a  direct  result  of  differing  contention 
window  sizes  affecting  how  much  of  the  channel  capacity  is  lost  to  overhead. 

The  next  topology  we  consider  is  a  chain  of  six  links.  As  shown  in  Fig.  4,  both  our  model 
and  ns-3  capture  the  behavior  of  the  MAC  properly  in  this  case.  In  this  case  our  model  uses 
U  =  [1  1  1  1  1  1],  a  =  1 ,  and  /3  =  0.85.  Removing  the  contention  between  links  3  and  4 
would  result  in  two  man-in-the-middle  topologies  starving  links  2  and  5.  However,  with  this 
contention  between  links  3  and  4  reduces  their  achievable  sending  rates,  which  in  turn  allows 
more  airtime  for  links  2  and  5. 

Fig.  5  shows  simulation  results  from  a  cycle  of  six  links.  In  this  case  our  model  uses 
U  =  [111111],  a  =  1,  and  (3  =  0.85.  The  ns-3  results  for  this  topology  show  considerable 
short-term  variation  in  link  rates  over  time.  This  is  a  result  of  short-term  (on  the  order  of 
a  second)  starvation  among  the  links.  Stations  alternate  between  starvation  and  exclusively 
capturing  the  medium  within  the  link’s  cliques.  The  irregular  alternations  combined  with  a 
sliding  window  average  results  in  the  plot  shown  in  Fig.  5.  We  reiterate  that  our  model  does 
not  attempt  to  predict  such  fast  dynamics  but  seeks  to  accurately  predict  average  rates. 

Finally,  we  use  a  bowtie  topology,  consisting  of  a  four  links  arranged  in  a  square,  with 
a  single  link  in  the  middle.  Like  the  man-in-the-middle  topology,  the  middle  link  is  easily 
starved.  The  differential  model  is  again  accurate  in  capturing  the  dynamics  and  steady-state 
behavior  of  the  MAC  in  this  case,  with  U  =  [1  1  1  1  1],  a  =  1 ,  and  (3  =  0.9. 
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MATLAB 


ns-3 


Figure  3:  Model  validation,  man-in-the-middle  graph 
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MATLAB 


ns-3 


Figure  4:  Model  validation,  6-chain  graph 
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MATLAB 


ns-3 


Figure  5:  Model  validation,  6-cycle  graph 
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4.1.3  Wireless  Network  Mapping 

Having  modeled  the  IEEE  802.11  MAC  using  differential  equations,  we  can  now  construct 
the  signal  structure  of  the  network  using  a  robust  reconstruction  process.  The 
reconstruction  process  allows  us  to  determine  the  DSF  from  noisy  data  collected  from 
perturbation  experiments  on  the  wireless  network.  The  procedure  we  utilize  is  a 
generalization  of  the  one  detailed  in  [18].  We  first  present  a  mathematical  description  of 
the  general  robust  network  reconstruction  process  before  providing  an  algorithm  that 
applies  this  process  to  a  wireless  network. 

General  Network  Reconstruction  Process 

Solving  the  network  reconstruction  problem  from  noisy  data  means  determining  the 
correct  structure  of  the  Q  matrix,  which  shows  the  interaction  between  measured  links  in 

the  wireless  network.  If  there  arep  links  in  the  network,  then  Q  has  p2  -  p  unknowns  and 

we  want  to  quantify  the  smallest  distance  from  the  system’s  transfer  function  G  to  all 

possible  boolean  structures  for  Q,  noting  that  there  are  2p2_p  of  them.  Small  distances  will 
correspond  to  candidates  for  the  correct  structure,  while  large  distances  will  mean  that  the 
structures  are  highly  unlikely  to  be  the  correct  structure  of  the  network. 

There  are  a  number  of  ways  to  model  input-output  data  with  noise  and  nonlinearities; 
we  consider  the  additive  uncertainty  model.  We  examine  the  system  A  =  G-X ,  where  X  is 

the  true  system,  G  is  the  estimate  of  the  system  and  A  represents  the  unmodelled  dynamics. 
Giving  the  system  an  input  U  yields  GO  -  XU.  Since  Y  =  GU,  the  resulting  system  is 

Y  -  XU.  Moreover,  given  that  X  is  the  true  system,  we  know  that  X  =  (/  -  Q)_1P ,  so 
the  system  then  becomes  Y  -  (/  -  Q)_1Pl/.  Multiplying  on  the  left  by  (/  -  Q)  gives  us 
(/  -  Q)Y  -  PU.  Multiplying  the  system  out  gives  us  Y  -  QY  -  PU,  where  the  values  of 
Q  and  P  are  unknown. 

The  noisy  version  of  this  system  can  be  solved  using  total  least  squares  or  the 
simpler  least  squares,  which  ignores  the  impact  of  noise  on  the  operator,  M ,  but  is 
computationally  simpler. 

Algorithm  for  Robust  Reconstruction  of  Wireless  Networks 

First,  we  note  that  a  wireless  network  is  reconstructible  according  to  the  necessary  and 
sufficient  informativity  conditions  provided  in  [1].  Since  each  link  in  a  wireless  network 
can  be  perturbed  independently  of  the  others,  that  the  structure  of  P  is  diagonal,  which  is 
sufficient  a  priori  information  to  make  the  system  reconstructible,  as  noted  in  [5]. 

Second,  before  we  must  ensure  that  the  network  is  in  an  equilibrium  state,  which  can  be 
achieved  using  rate  controllers  on  the  wireless  network.  The  system  must  be  in  equilibrium 
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since  we  are  applying  linear  tools  to  a  nonlinear  system,  and  we  know  the  performance  of  a 
nonlinear  system  is  similar  to  that  of  the  linearized  system  close  to  equilibrium. 

We  now  provide  an  algorithm  for  the  reconstruction  of  wireless  networks: 

Step  1:  Perturb  each  link  /  (usually  with  a  step  input),  where  each  perturbation  is  large 
enough  to  escape  the  sensor  or  measurement  noise,  but  small  enough  to  ensure  it  remains 
in  the  same  basin  of  attraction  for  the  equilibrium  chosen.  After  each  perturbation,  the 
rate  on  every  link  in  the  network  should  be  measured  until  the  transient  response  from  the 
perturbation  is  complete  and  the  system  settles  into  a  steady  state. 

Step  2:  The  third  step  is  to  solve  the  total  least  squares  problem  defined  below  for  all 
2p2_p  boolean  structures  to  determine  the  distance  ak  for  the  kth  boolean  structure.  We 
could  simplify  this  process  further  by  restricting  the  search  space  of  boolean  structures  to 
only  include  symmetric  structures,  since  in  wireless  networks  we  consider  interference  to  be 
biderectional,  which  would  mean  that  the  structure  of  Q  is  always  symmetric. 

The  total  least  squares  problem  is  defined  as: 

min  1 1  [ Ai  el]  ||«, 

X 

subject  to 

[M  +  Aj]  x  =  y  +  ei 

Alternatively,  one  could  solved  a  typical  least  squares  problem: 

min  | \y  -  Mx |  | 

X 

which  is  simpler  to  compute,  but  sacrifices  accuracy  by  ignoring  the  noise  on  the  operator, 

M. 

Step  3:  Given  an  ak corresponding  to  each  boolean  structure,  use  an  information  criterion, 
such  asAkaike  Information  Criterion  (AIC),  the  Bayesian  Information  Criterion  (BIC), 
or  a  variant  (such  as  AlCc),  to  select  the  DSF  that  best  models  the  data.  A  full  DSF  can 
always  fit  the  noise  better  and  achieve  a  lower  a  score.  To  correct  this  problem,  an 
information  criterion  weights  the  complexity  of  the  DSF,  in  terms  of  number  of  edges  in  the 
DSF,  to  find  a  network  structure  that  achieves  a  low  a  score  with  as  few  edges  as 
possible.  As  a  practical  matter,  one  needs  to  tune  the  weights  of  the  information  criterion 
function  to  target  the  right  degree  of  sparsity  expected  for  any  given  application. 

For  simplicity,  we  assume  a  centralized  controller  can  perform  the  perturbation 
experiments,  collect  the  data,  and  run  the  reconstruction  algorithm.  Note  that  the 
algorithm  works  for  any  differential  equation  model  of  the  802.11  MAC,  not  just  the  one 
developed  here. 

For  simplicity,  we  assume  a  centralized  controller  can  perform  the  perturbation 
experiments,  collect  the  data,  and  run  the  reconstruction  algorithm.  Note  that  the 
algorithm  works  for  any  differential  equation  model  of  the  802.11  MAC,  not  just  the  one 
developed  here. 

4.1.4  Transitory  Interference  Detection 

We  now  use  the  differential  model  of  the  MAC  presented  in  Section  7.1.2  to  show  that  the 
DSF  of  the  system  changes  when  interfering  devices  are  physically  present  in  a  wireless 
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Contention  Region  1 


Contention  Region  2  Clique  2 


(a)  Topology  (b)  Contention  graph 

Figure  6:  Example  wireless  network,  with  transitory  devices  shown  in  red,  along  with 
corresponding  contention  graph. 

network.  Whenever  new  wireless  devices  intrude  on  an  existing  network,  the  map  changes 
because  of  the  coupling  it  creates.  Since  the  map  is  easy  to  create,  whenever  the  performance 
of  the  links  changes,  we  can  recalculate  the  map  in  order  to  examine  the  network  for  possible 
interference  from  transitory  devices.  These  devices  could  be  other  computers  with  WiFi 
interfaces  or  any  device  that  emits  an  RF  signal  on  the  same  frequency  as  the  managed 
WiFi  network. 

Reconstruction  Without  Transitory  Interference 

Consider  the  wireless  network  as  shown  in  Figure  6a,  but  without  link  4  present.  The 
contention  graph  for  this  network  is  given  in  Figure  6b,  but  without  the  node  4  and  without 
any  of  the  edges  connected  to  node  4.  We  show  how  to  derive  the  exact  DSF  for  this  network, 
assuming  we  know  the  differential  equation  model  for  the  MAC  presented  in  Section  7.1.2. 
This  will  provide  a  “ground  truth”  for  the  network,  which  the  reconstruction  algorithm 
should  match.  For  this  network,  the  equations  describing  the  rates  obtained  by  these  links 
are  given  by: 


V 

U1  — 

b2 

= 

■U--2  —  a?2 

p3_ 

—  023 

*r 

— ar  1 +J01 0-  (fc  1 )  (a;  1  +  ( 1  —  ar i )  ( 1  —  )) 

^2 

= 

X2-h3-2(T(b2)^x2+(l  ar2)(l  !_‘2)(l  i_!a)) 

\_X3_ 

— ar3+^3cr(63)  ^ara+(l— ara)  (l~  i-ia  )) 

Assume  that  a  rate  controller  is  being  used  on  all  the  links  to  give  fair  network 
performance.  The  equilibrium  rates  for  this  network  are  u \  =  0.4,  u2  =  0.4,  and  u3  =  0.4. 
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(a)  Before  intrusion 

Figure  7.  Structure  before  and  after  intrusion. 


(b)  After  intrusion 


We  linearize  the  system  of  equations  in  (10)  around  this  equilibrium  to  get: 
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The  exact  (Q,  P)  for  this  system  is: 


Q  = 


P  = 


0 

29-3 
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A  graphical  representation  of  this  DSF  is  shown  in  Figure  7a. 

In  practical  situations,  it  is  not  possible  to  know  the  system  of  differential  equations  that 
describe  the  wireless  network.  In  this  case,  we  must  use  the  robust  reconstruction  method 
described  in  Section  4.1.3  to  determine  the  boolean  structure  of  the  DSF. 

Step  1:  Perturb  each  link  and  record  the  measurements  of  each  perturbation  experiment. 
The  results  of  these  experiments  are  shown  in  Figure  8. 

Step  2:  Using  the  noisy  data  that  is  collected,  find  the  least  squares  solution,  ak,  for 
all  possible  boolean  structures.  The  results  are  in  Table  1,  along  with  their  associated  AIC 
values. 

Step  3:  Calculate  the  Al  C  values  for  each  boolean  structure  using  the  equation: 


At  Ck  =  24  +  2ln((2nak)  +  1 ) 


(11) 
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(a)  Perturbation  on  Link  1  (b)  Perturbation  on  Link  2  (c)  Perturbation  on  Link  3 

Figure  8:  Perturbation  Experiments  for  Wireless  Network  without  Transitory  Interference 

Table  1:  Reconstruction  Without  Transient  Interference 


Results  of  Reconstruction  1 

Process 

Boolean  Structure 

alpha 

AIC 

~0 

1 

1 

1 

0 

1 

1.22 

14.32 

1 

0 

0 

~0 

1 

0 

1 

0 

1 

0.14 

9.262 

0 

1 

0 

0 

1 

1 

1 

0 

1 

0.09 

10.9 

0 

1 

0 

~0 

1 

0 

1 

0 

1 

0.08 

10.81 

1 

1 

0 

“0 

1 

1 

1 

0 

1 

0 

12 

1 

1 

0 

where  Lk  are  the  number  of  nonzero  elements  in  the  kth  boolean  structure. 

In  Table  1 ,  we  see  that  although  the  correct  structure  (marked  in  red)  does  not  have  the 
lowest  a  score,  by  using  Al  C  we  can  discriminate  against  structures  with  more  non-zero 
elements  to  determine  the  correct  structure. 

Reconstruction  With  Transitory  Interference 

Now  let  us  assume  that  new  network  devices  begin  operating  within  the  contention  region 
of  our  original  network,  creating  link  4  as  shown  in  Figure  6a. 

(b1,b2,b3,b4)  =  ((ul— xl)  (u2-x2)  (u3-x3)  (u4-x4))  (12) 
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The  new  devices  decide  to  set  their  load  to  uA  =  0.2.  This  gives  them  the  equilibrium 
sending  rates  of  x4  =  0.2.  To  keep  the  buffer  from  growing  too  large,  link  2  has  to  recalibrate 
its  sending  rate  to  u2  =  0.2  decreasing  its  rate  to  0.2.  Linearizing  around  the  new  equilibrium, 

I  I 

I  bi  b2  63  b4  xi  x2  x3  x4  =j 
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The  new  DSF,  using  the  inputs  on  nodes  1 , 2,  and  3,  is  given  by 


(a)  Perturbation  on  Link  1  (b)  Perturbation  on  Link  2  (c)  Perturbation  on  Link  3 

Figure  9:  Perturbation  Experiments  for  Wireless  Network  with  Transitory  Interference 


19 

APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED 


0 


42Qe'3 

^(■s) 
26  s 


Qi  = 


100s2+109a+4 


0 


100a2 +1093+4 


429s2 

dm) 


33a^  100s3+273+4^ 


0 


2{d(a» 


and 


27532+lS73+U 

d(#) 


o 


o 


2 


0 


10032+27s+4 

0 


0 


100a2+i093+4 


275>3  — 1ST.-  — 1 1 

d(s) 


where  d{s)  =  2500s4  +  4200s3  +  1646s2  +  287 s  +11. 

Again,  these  dynamical  structure  functions  (Q,  P)  have  been  determined  directly  from 
the  differential  equations.  We  will  now  assume  that  the  differential  equations  that  describe 
the  wireless  network  are  unknown,  and  we  will  use  the  robust  reconstruction  process  from 
Section  4. 1.3  to  determine  the  boolean  structure  of  the  network  while  the  interference  is 
occurring. 

Step  1:  Perturb  each  link  and  record  the  measurements  of  each  perturbation  experiment. 
The  results  of  these  experiments  are  shown  in  Figure  9. 

Step  2:  Using  the  noisy  data  that  is  collected,  find  the  least  squares  solution,  ak,  for 
all  possible  boolean  structures.  The  results  are  in  Table  2,  along  with  their  associated  A I  C 
values. 

Step  3:  Calculate  the  AIC  values  for  each  boolean  structure  using  Equation  (11). 

As  we  can  now  see,  the  correct  structure,  marked  in  red  Table  2,  is  now  the  fully  connected 
network.  A  graphical  representation  of  this  DSF  is  shown  in  Figure  7b.  We  can  see  that  the 
links  1  and  3  were  not  coupled  in  Figure  7a,  but  now  they  appear  coupled.  This  signals  the 
presence  of  interfering  wireless  devices. 

If  the  new  devices  do  not  create  new  links  in  the  DSF,  but  do  change  the  transfer  functions 
contained  in  Q  and  P,  then  the  presence  of  such  an  intruder  is  harder  to  detect. 

4.2  Necessary  and  sufficient  conditions  for  network  reconstruction 

Identifiability  conditions  fundamentally  concern  the  definition  of  a  map  from  model 
parameters  to  data  and  ensuring  that  it  is  injective.  In  this  way,  a  particular  set  of 
parameters  is 
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Table  2:  Reconstruction  With  Transient  Interference 


Results  of  Reconstruction  1 

Process 

Boolean  Structure 

alpha 

AIC 

0 

1 

1 

1 

0 

1 

34.82 

20.79 

1 

0 

0 

0 

1 

0 

1 

0 

1 

2.77 

13.83 

0 

1 

0 

“0 

1 

1 

0 

1 

1.96 

15.18 

0 

1 

0 

“0 

1 

0 

1 

0 

1 

0.81 

13.61 

1 

1 

0 

~0 

1 

1 

1 

0 

1 

0.03 

12.35 

1 

1 

0 

uniquely  specified  by  the  data,  identifying  the  correct  model  from  the  set  of  models  under 
consideration. 

Identifying  a  system’s  DSF  from  data  involves  the  standard  issues  related  to  identifying 
a  TF  from  data  (sufficiency  of  excitation,  etc.),  along  with  additional  issues  related  to  the 
fact  that  many  DSF  generate  the  same  TF  (consider  Lemma  1).  In  the  sequel  we  will 
ignore  the  standard  issues  and  focus  on  the  additional  identifiability  issues  unique  to  DSF. 
Consequently  we  will  assume  that  the  system’s  TF  has  been  successfully  identified  from  data 
and  focus  on  necessary  and  sufficient  conditions  for  then  recovering  the  DSF.  To  accomplish 
this,  we  will  construct  the  map  from  the  elements  of  the  DSF  to  the  associated  TF  and 
establish  conditions  ensuring  this  map  is  injective. 

To  facilitate  the  discussion,  we  introduce  the  following  notation.  Let  A  e  Cnxm  and 
B  e  Ckxl.  Then: 

•  blckdiag(A  B)  is  the  block  diagonal  matrix  given  by 

A  0 
0  B  ’ 


•  a,-  is  the  Ith  column  of  matrix  A, 

•  A-j  is  the  matrix  A  without  it’s  ith 

•  djj  is  the  (i,j)th  entry  of  matrix  A, 

•  A  is  the  conjugate  transpose  of  matrix  A, 

•  R(A)  is  the  range  of  A, 

•  is  the  vector  stack  of  the  columns  of  A  given  by  al... am 
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•  and  a  is  the  vector  stack  of  the  columns  of  A 

We  begin  by  rearranging  the  fundamental  DSF  relationship,  G  =  (/  -  Q)-1P  to  yield: 


[I  G'} 


(13) 


Noting  that 

AX  =  B  <=>  blckdiag(A,  ...,A)x  =  b 

I  i  J 

and  defining  X  =  P:  Q‘  then  allows  us  to  rewrite  Equation  (13)  as 

/  blckdiag(G, G)  <7  =  ^g.  (14) 

Further  noting  that  since  the  diagonal  elements  of  Q  are  identically  zero  and  the  dimensions 
of  P,  Q,  and  G  are  p  x  m,  p  x  p,  and  pxm  respectively,  then  exactly  p  elements  of  V 
are  always  zero.  Abusing  notation,  we  can  then  redefine  X*  to  remove  these  zero  elements, 
reducing  Equation  (14)  to  the  following: 

/  blckdiag(Gt_1,  GL2, ...,  GLp)  <x=<g.  (15) 

Equation  (15)  reveals  the  mapping  from  elements  of  the  DSF,  contained  in  x",  to  its 
associated  TF,  represented  by  g  .  The  mapping  is  clearly  a  linear  transformation  repre¬ 
sented  by  the  matrix  operator  /  blckdiag(Gf  _v  Gf_2, Gf_p)  .  This  matrix  has  dimen¬ 
sions  (pm)  x  (pm  +  p2  -  p),  and  thus  the  transformation  is  certainly  not  injective.  This  is 
why  not  even  the  Boolean  structure  of  a  system’s  DSF  can  be  identified  -  even  from  perfect 
information  about  the  system’s  TF  -  without  additional  a  priori  structural  information. 
Identifiability  conditions  will  thus  be  established  by  determining  which  elements  of  IT 

must  be  known  a  priori  in  order  to  reduce  the  corresponding  transformation  to  an  injective 
map.  To  accomplish  this,  consider  the  (pm  +  p2  -  p)  x  k  transformation  T  such  that 

IT  =  Tz  (16) 

where  z  is  an  arbitrary  vector  of  size  k.  The  following  lemma  describes  technical  conditions 
on  T  establishing  necessary  and  sufficient  identifiability  conditions  for  DSF  reconstruction. 


Lemma  1.  Let 

M  =  LT,  (17) 

where  L  =  [  I  blckdiag(G'_1?  G'_2, ...,  G'_p)  ]  and  T  is  a  (pm  +  p2  —  p)  x  k  matrix  operator 
as  in  Equation  ( 1 6).  Then  M  is  injective  if  and  only  if 
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1.  k  <  pm,  and 

2.  rank(T)  =  k  (i.e.  T  is  injective). 

Proof.  Since  /  blckdiag(Gt_1,  GL2,  ■■■,  GLp)  has  rank  pm,  rank(M)  =  min(pm,  rank(T)). 

If  rank(T)  >  pm,  implying  k  >  pm,  then  M  is  clearly  not  injective.  If  rank(T)  <  pm,  then 
rank (M)  =  rank (T)  and  M  will  be  injective  if  and  only  if  k  =  rank (T).  □ 

Theorem  1.  (Identifiability  Conditions)  Given  a  system  characterized  by  the  transfer  func¬ 
tion  G,  its  DSF  (Q,  P)  can  be  identified  if  and  only  if 

1.  M,  defined  as  in  Equation  (17),  is  injective,  and 

2.  $  e  R(M  ). 

Proof.  The  proof  follows  immediately  from  the  observation  that  M  is  the  mapping  from 
unidentified  model  parameters  to  the  system  TF.  Under  these  conditions  one  can  clearly 
solve  for  z  given  G  and  then  construct  the  DSF  from  x",  where  X-  =  Tz,  and  T  is  precisely 
the  a  priori  system  information  that  is  necessary  and  sufficient  for  reconstruction.  □ 

We  will  now  illustrate  this  reconstruction  result  on  some  simple  examples. 

Example  2.  Consider  a  system  with  square  TF  given  by 
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Previous  work  has  shown  that  if  G  is  full  rank  and  it  is  known,  a  priori,  that  the  control 
structure  P  is  diagonal  that  reconstruction  is  possible.  Here  we  validate  that  claim  by 
demonstrating  that  the  associated  T  matrix  becomes: 
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where  e,  is  a  zero  vector  with  1  in  the  Ith  position.  Note  that  M  is  a  square  matrix  with 
dimensions  p2  x  p2  and  will  be  invertible  provided  G  is  full  rank,  thus  enabling  reconstruction. 

Example  3.  Given  the  following  TF  of  a  system: 


G  = 


s~~|~2 
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We  attempt  to  find  the  DSF  (Q,  P)  of  the  system: 
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yielding  the  vector  of  unknowns  x  =  P^^ 
system  of  equations  of  the  form  Lx  =  b: 


Pi  2  P21  P22  Q12  Q21  ■ 


This  gives  us  the 


1  0 
0  1 
0  0 
0  0 


0  0 
0  0 
1  0 
0  1 


s+2 

(s+l)(s2  -|-3s+l) 

S2+S  — 1 

(s+l)(s"J+3s+l) 

0 

0 


0 

0 

s+2 

s2+3s+  1 
_ s  4-  3-5  +  3 _ 

(s+2)(s-  +3s+l) 


Pn 

P12 

P21 

P22 

Ql2 

Qll 


5+2 

s  ■“ + 3  s  + 1 
s  +3s+3 
(s+2)(s“+35+1) 

■!  s-l-2 

(s+1  )(s2+3s+l) 
s2+s— 1 

IL  (s+l  )(s’2 +3s+l)  _ 


Without  additional  information  a  priori  structural  information,  we  can  not  reconstruct.  Sup¬ 
pose,  however,  that  we  know  a  priori  that  P  takes  the  form: 

p  _  P11  — Pi  1 
0  P22 
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Note  that  this  non-diagonal  P  fails  to  meet  the  previous  conditions  for  reconstruction  [6]. 
Nevertheless,  the  vector  of  unknowns  x  can  then  be  decomposed  into  the  form  Tz  as  follows: 
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Replacing  x  with  Tz  above  yields  the  system  of  equations  of  the  form  Mz  =  b.  where  M  =  LT : 
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In  this  case  M  is  full  rank,  from  theorem  1  we  know  that  the  system  is  reconstructible.  By 
solving  for  x  =  (M  )_1  b  we  get  the  DSF  to  be: 


'  0 
i 

1  "I 

r  1 

1  1 

Q  = 

5+2 

0 

and  P  = 

s-\-l 

0 

1+1 

-5+1 

s+2  J 

4.3  Vulnerability  of  open-  and  closed-loop  systems 

4.3.1  Attack  Models 

In  the  literature,  attacks  on  control  systems  have  been  classified  into  two  types:  denial 
of  service  attacks,  when  the  attacker  jams  a  channel  in  order  to  destabilize  the  system, 
and  deception  attacks,  when  the  attack  adds  perturbations  on  particular  links  in  order  to 
compromises  the  reliability  of  the  controller’s  state  estimates  [11].  We  consider  a  hybrid 
attack  model  where  the  attacker  adds  perturbations  to  the  channels,  not  just  jam  them,  in 
order  to  destabilize  the  system.  We  call  this  type  of  attack  a  destabilizing  attack. 

Denial  of  Service  (DoS)  Attack  Denial  of  service  attacks  prevent  signals  from  reaching 
their  intended  destination.  This  is  probably  the  easiest  and  most  common  attack,  and  it  is 
modeled  as  removal  of  an  edge  in  an  interconnected  structure.  It  might  be  done  by  jam¬ 
ming  the  communication  channel,  disrupting  the  transmitter/receiver,  changing  the  routing 
protocol,  saturating  the  receiver  with  extraneous  signals,  etc.  The  attacker’s  intent  of  such 
an  attack  could  be  to  degrade  the  system  performance  or  to  completely  destabilize  it.  [10] 
shows  that  performance  of  networked  control  systems  could  decrease  significantly  under  a 
DoS  attack.  [11]  gives  a  method  to  find  an  optimal  controller  that  minimizes  the  effect  of 
such  an  attack  on  linear  control  systems. 

In  [12],  the  authors  study  whether  a  DoS  attack  on  certain  links  can  make  the  system 
unreachable  or  uncontrollable.  They  also  develop  graph  theoretic  algorithms  to  identify  the 
minimal  number  of  edges  which  are  necessary  for  preserving  controllability  and  observability. 
Deception  Attack  The  goal  of  a  deception  attack  is  to  change  the  state  estimates  computed 
by  a  model-based  controller.  This  type  of  attack  is  modeled  as  a  stable  additive  perturbation 
to  an  edge  in  the  network.  All  stabilizing  controllers  make  the  closed  loop  system  stable, 
hence,  a  stabilizing  controller  is  necessarily  stabilizable  from  the  plant.  So,  if  at  attacker  gains 
access  to  the  communication  channel  between  the  plant  and  the  controller,  state  estimates  of 
a  model-based  controller  can  be  altered.  To  prevent  this,  many  real  systems  such  as  power 
systems,  sensor  networks,  etc.,  are  equipped  with  a  Bad  Data  Detector  (BDD)  [13,  8, 14].  A 
BDD,  using  the  model  of  the  plant,  detects  deviation  of  the  state  estimates  from  the  expected 
and  raises  an  alarm  to  notify  the  human  operator.  Because  of  the  presence  of  measurement 
noise,  this  deviation  is  never  zero,  so  the  BDD  ignores  deviations  that  are  smaller  than  a 
specified  threshold.  Hence,  in  the  presence  of  BDDs,  the  attack  has  to  change  the  state 
estimates  without  increasing  the  chance  of  raising  an  alarm. 
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In  [13]  the  authors  study  this  kind  of  attack  in  the  context  of  a  power  system.  They 
show  that  it  is  in  fact  possible  for  an  attacker  to  change  the  state  estimates  to  a  specific 
value  without  increasing  the  chance  of  being  detected.  [14]  studies  a  similar  problem  in  the 
scenario  of  a  wireless  sensor  networks.  It  maps  an  approximation  of  the  set  of  all  possible 
values  the  attacker  could  drive  the  estimates  to. 

[8]  studies  a  slightly  different  problem.  Here,  the  goal  of  the  attacker  is  to  change  the 
estimate  of  one  of  the  states  without  increasing  the  chance  of  being  detected.  The  authors 
recognize  that  while  doing  this  the  attacker  might  want  to  use  the  fewest  channels  possible 
or  might  try  to  keep  the  magnitude  of  the  attack  signal  small.  For  each  type  of  attack,  the 
authors  then  give  a  formulation  of  a  security  index  of  the  system. 

Destabilizing  Attack  Like  deception  attacks,  these  attacks  effectively  arise  as  an  additive 
perturbation  on  a  link  in  the  system  interconnection  structure.  Unlike  deception  attacks, 
however,  they  seek  to  destabilize  the  system  rather  than  simply  move  the  system  state  to 
a  desired  value  without  being  detected.  BDDs  are  clearly  capable  of  detecting  the 
destabilization  resulting  from  such  attacks,  nevertheless  serious  damage  and  even 
complete  plant  shut-down  may  result  by  the  time  system  operators  are  able  to  do  anything 
about  it. 

A  rich  literature  in  systems  and  control  theory  explores  the  destabilization  of  systems  due 
to  additive  perturbations,  see  for  example  [4]  and  the  references  therein.  Security  analysis  of 
destabilizing  attacks  thus  appears  to  be  a  robustness  problem  with  respect  to  certain  classes 
of  perturbations.  Indeed,  we  adopt  this  point  of  view,  and  consider  security  problems  to  be 
essentially  robustness  problems  of  various  types. 

The  contribution  of  this  work,  then,  applied  to  this  class  of  attacks,  is  in  the  solution 
of  a  certain  class  of  robustness  problems  over  a  particular  kind  of  link  model-corresponding 
to  logical,  rather  than  the  physical,  links  of  a  system-and  with  respect  to  a  specific  class 
of  perturbations.  Unlike  standard  robustness  measures  that  generally  consider  destabilizing 
perturbations  acting  overall  channels  and  nodes  of  a  system,  here  we  restrict  our  attention 
specifically  to  perturbations  that  disrupt  a  single  link  in  the  system’s  signal  structure.  Our 
analysis  then  considers  such  single-link  perturbations  overall  possible  system  links.  In  the 
next  section  we  explore  our  link  model  in  detail. 

4.3.2  Link  Models 

The  destabilizing  attacks  considered  here  are  additive  perturbations  acting  on  a  single  link  in 
a  system’s  logical  interconnection  structure.  There  are  many  characterizations  of  a  system’s 
structure,  see  for  example  [15,  16].  One  characterization  would  consider  the  interconnection 
structure  among  subsystems.  This  definition  of  structure,  also  called  the  system’s  subsystem 
structure,  would  represent  the  physical  interconnection  between  physical  components  of  a 
particular  networked  system.  Under  this  notion  of  structure,  a  link  would  represent  the  signal 
passing  between  two  subsystem  nodes  within  the  subsystem  interconnection  architecture. 
In  contrast  to  the  subsystem  structure,  this  work  considers  another  definition  of  system 
structure  and,  consequently,  a  different  notion  of  a  system  link. 

In  this  work,  we  consider  a  partition  on  signals  of  the  system  into  two  categories:  exposed 
signals  and  hidden  signals.  The  logical  interconnection  structure,  or  architecture-also  called 
the  system’s  signal  structure-is  the  causal  relationship  between  exposed  signals  in  the  system. 
In  this  definition  of  structure,  a  link  is  a  system  describing  the  causal  dependency  between 
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two  exposed  signal  nodes  of  the  logical  interconnection  architecture. 

Some  important  consequences  of  this  definition  of  link  include  the  fact  that  a  link  may 
represent  a  very  indirect  and  complicated  pathway-through  various  hidden  signals  that  may 
be  components  of  other  links  in  the  system.  Thus  a  link  is  associated  with  a  particular 
set  of  dynamics-a  system-that  characterizes  how  the  input  signal  is  transformed  into  the 
output  signal.  The  fact  that  hidden  signals  may  be  shared  between  links,  however,  is  an 
important  distinction  between  signal  and  subsystem  interconnection  structures.  Note  that 
a  state  of  one  subsystem,  interconnected  with  others  in  a  subsystem  architecture  (such 
as  a  standard  feedback  interconnection  between  two  blocks),  is  never  shared  with  other 
subsystems;  the  subsystem  architecture  effectively  partitions  the  states  of  the  networked 
system.  In  contrast,  states  on  the  links  of  the  signal  structure  may,  in  fact,  be  shared  with 
those  of  other  links.  This  degree  of  abstraction  is  important  for  security  problems  because 
an  additive  perturbation  on  a  link  of  the  signal  structure  does  not  represent  the  corruption 
of  a  particular  channel,  as  it  would  in  the  subsystem  structure,  but  rather  the  idea  that  an 
attacker  infiltrated  a  particular  dependency  between  specific  manifest  variables. 

The  next  section  provides  some  background  on  Dynamical  Structure  Functions  (DSF), 
which  are  used  to  represent  the  signal  structure  of  a  system.  The  DSF  is  a  system 
representation  that  describes  more  structure,  in  the  logical  interconnection  sense,  than  the 
transfer  function  provides,  but  less  than  the  state  space  realization  would  reveal. 
Specifically,  the  DSF  describes  exactly  the  causal  dependencies  between  manifest  variables 
without  offering  any  indication  of  the  structure  relating  hidden  variables.  As  a  result, 
although  every  state  space  realization  specifies  a  unique  DSF,  and  every  DSF  specifies  a 
unique  transfer  function,  there  are  many  DSF  architectures  consistent  with  any  specific 
transfer  function,  and  many  state  space  realizations  consistent  with  any  specific  DSF. 

4.3.3  Background:  Dynamical  Structure  Function 

Before  developing  the  main  theorem,  we  will  present  a  concise  derivation  of  the  dynamical 
structure  function,  and  explain  its  relevance  to  the  security  of  a  networked  system.  For  a 
complete  derivation  and  results  on  different  representations  of  structure  see  [16,  9,  6]. 

Let  us  consider  a  state-space  LTI  system 
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where  Ci  C2  has  full  row  rank.  This  system  can  be  transformed  to: 
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Here  y  are  the  states  that  are  measured,  and  x  are  the  hidden  states.  Now,  taking  Laplace 
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Transforms  of  the  signals  in  (19),  we  get 

sVl  \Au  Al2\  \Y 
\  ^x\  [a21  a22\  [x 

Solving  for  X  in  the  second  equation  of  (20)  gives 

X  =  (si  -  y422)-1/\2i  Y  +  (si  -  A22)~:B2U 

Substituting  into  the  first  equation  of  (20)  we  get, 

sY  =  WY+VU, 

where  W  =  A-,-,  +A12(sl  -A22)_1/421  and  V  =  A12(s/  -A22)_1B2  +B-|.  Let  D  be  a  diagonal 
matrix  with  the  diagonal  entries  of  W.  Then, 

(si  -D)Y  =  (W  -  D)Y  +  VU. 

Now  we  can  rewrite  this  equation  as, 

Y  =  QY  +  PU,  (21) 

where 

Q  =  (sl  -D)~\W  -  D ) 
and 

P  =  (si  -  D)-1  V. 

The  matrix  Q  is  a  matrix  of  transfer  functions  from  Y,-  to  V) ,  /  /=  j,  or  relating  each 
measuredsignal  to  the  other  measured  signals.  Note  that  Q  is  zero  on  the  diagonal  and 
either  zero  or  a  strictly  proper  transfer  function  on  the  off  diagonal.  The  matrix  P  is  a 
matrix  of  zeros  or  strictly  proper  transfer  functions  from  each  input  to  each  output  without 
depending  on  any  additional  measured  states.  Together,  the  pair  (Q(s),  P(s))  is  called  the 

dynamical  structure  function  for  system  (18). 

The  transfer  function  matrix  for  this  system  is  given  by 

G  =  (/  -  Q)_1P  =  C(sl  -  A)~'B. 

Hence,  Gy  is  the  closed  loop  transfer  function  from  input  j  to  state  /.  In  this  paper,  we  will 
also  refer  to  the  closed  loop  transfer  function  between  states.  A  transfer  function  from  state 
j  to  state  /  is  represented  by  Hy,  where 

H  =  (/-Q)"1. 

Note  that  the  transferfunction  from  a  state  to  an  input  is  always  zero. 

Definition  1.  Given  a  system  18  with  signal  structure  characterized  by  the  dynamical 
structure  function  (P,Q),  a  link  (i,  j)  of  the  system  corresponds  to  any  nonzero  entry  in 
P  or  Q. 

Note  that  P  gives  the  links  from  the  inputs  to  the  measured  states,  and  Q  gives  the  links 
that  represent  the  dependencies  between  the  measured  states.  The  next  section  will  introduce 
the  notion  of  vulnerability  and  characterize  vulnerable  links  in  the  system’s  architecture 
characterized  by  (P,  Q). 
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4.3.4  Vulnerable  Links 

In  this  work,  vulnerability  refers  to  the  destabilization  of  a  system  resulting  from  the 
corruption  of  a  single  link  in  its  signal  architecture.  We  begin  with  a  definition  of  a 
vulnerable  link. 

Definition  2.  Given  a  system  18  with  signal  structure  characterized  by  the  dynamical 
structure  function  (P,Q),  a  link  in  (P,Q)  is  called  vulnerable  if  there  exists  a  stable 
perturbation  on  the  link  that  makes  the  system  unstable. 

Example  4.  Let  us  consider  a  system  with 


r_L  o  1 

0  — 1 

p= 

s+2 

,  and,  Q  = 

s+2 

This  system  is  stable  because  the  transfer  function, 

s  +  2  1  1 

1  s  +  2\ 


G  = 


s2  +  4s  +  3 


Now  let  us  add  a  perturbation  A  =  —^-2  to  the  link  Q12  as  shown  in  Figure  10.  The  resulting 
transfer  function  is  G 

which  is  unstable.  Hence  the  link  Q12  is  a  vulnerable  link.  Similarly,  it  can  be  shown  that 
Q2 i  is  vulnerable,  although  neither  P-n  nor  P22  are  vulnerable. 


s  +  2 


-  +  A 


/  S'  'X.  J_ 

s  +  2 


! 

s  +  2 


Figure  10:  The  system  with  the  perturbation  A.  Black  arrows  indicate  secure  links,  while 
blue  arrows  indicate  vulnerable  links. 


Condition  for  Vulnerability  Given  that  an  attacker  has  the  knowledge  of  the 
dynamical  structure  function  representation  of  a  system,  we  will  derive  a  necessary  and 
sufficient  condition  for  a  link  to  be  vulnerable. 


Theorem  2.  Let  us  consider  a  stable  system  {P,  Q).  There  exists  a  stable  additive 
perturbation  A  on  a  link  from  node  i  to  node  j,  either  in  P  or  Q,  that  makes  the  system 
unstable  if  and  only  if  the  closed  loop  transfer  function  from  node  j  to  i  is  nonzero. 
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Figure  12:  Necessary  and  sufficient  condition  for  stability  of  the  system  in  Figure  1 1 


Proof.  The  system  with  the  perturbation  A  can  be  represented  as  the  linear  fractional  trans¬ 
formation  in  Figure  11,  where  T  is  the  associated  closed  loop  transfer  function,  and  wy,  Wj 
represent  the  signals  at  node  /  and  j  respectively.  This  system  is  stable  if  and  only  if  the 
system  in  Figure  12  is  stable  (see  [4]).  If  T/j  =  0,  any  stable  A  does  not  affect  the  stability 
of  the  system  in  Figure  12.  Thus  the  closed  loop  system  in  Figure  1 1  is  stable  for  all  A. 

If  T/j  /=  0,  then  the  system  in  Figure  12  is  unstable  if  any  of  the  transfer  functions  of 

dj  wj 

is  unstable.  We  have, 

d,-  w> 


1  T  A  A  dj 


Wj  1  -  Tij  A 


For  a  polynomial  to  be  stable  it  is  necessary  that  all  its  coefficients  are  of  the  same  sign. 
In  the  case  of  the  polynomial 

R(s)  =  D5d  -  N5n,  (23) 

it  is  easy  to  see  that  a  properly  designed  A  can  zero  out  at  least  one  of  the  terms.  Thus, 
there  exists  a  A  that  destabilizes  these  transferfunctions.  Note  that  when  we  are  □ 

considering  the  vulnerability  of  the  links  in  Q,T  =  H  =  gives  the  closed  loop 

transfer  functions.  Now,  we  will  present  some  implications  of  this  result. 

Corollary  1.  None  of  the  links  in  P  are  vulnerable. 


Proof.  This  is  true  because  the  transfer  function  from  the  states  to  the  input  is  always 
zero.  □ 
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Corollary  2.  If  T,j  is  nonzero,  there  exists  a  perturbation  Ae  R  that  destabilizes  the  system 
in  Figure  12. 

Proof.  Let  A  e  R,  /,y  =  ~L.  Thus,  -a  =  — z,  and  the  polynomial  in  (23)  becomes 

D/  5d  D / 

D/D  -  A/(D/A  +  A//).  We  can  see  that  at  least  one  of  the  terms  in  this  polynomial  can  be 
zeroed  out  by  choosing  appropriate  A,  making  the  polynomial  unstable.  □ 

Corollary  3.  Let  us  consider  a  stable  system, 

x  =  Ax  +  /u,  (24) 

y  =  lx, 

where  A  e  Rnxn  and  let  G  =  (si  -  A)-1.  There  exists  a  perturbation  K  =  Ae,eT.,A  e  R, 
such  that  (A  +  K))  is  not  Hurwitz,  if  and  only  if  the  transfer  funtion  from  input  Uj  to 

output  yj,  Gjj,  is  nonzero. 

Proof.  If  the  perturbation  is  on  the  diagonal  entry  of  A,  then  it  is  easy  to  see  that  a 
destabilizing  perturbation  always  exists  and  Gn  is  neverzero.  Let  D  =  diag(Au,  A22, 
Ann)- 

The  dynamical  structure  function  of  the  system  is  given  by  P  =  (si  -  D)-1  and  Q  = 

(si  -  D)~\A  -  D ).  Any  perturbation  K  =  A e,eT,  //=  j  effects  only  the  link  Qu.  Hence, 

the  perturbation  can  make  the  system  unstable  if  and  only  if  the  transfer  function  is 
nonzero.  Also,  the  diagonal  entries  of  P  are  nonzero,  and  G  =  HP.  Thus,  the  transfer 
function  Hu  is  nonzero  if  and  only  if  Gy,  is  nonzero. 

□ 

Example  5.  Let  us  consider  a  system  of  the  form  (24)  with 

|  -1  0  -4  3 1 

A=  \2  -2  0  0  | 

1 3  0-2-4| 

1 0  3  -2  -5 1 

Here  the  eigenvalue  of  A  are  o  =  ■('-1.5000  + 3.4278_/,  -1.5000 -3.4278_/'  -6.7016,  -0.2984}. 
Hence,  the  system  is  stable.  In  this  system,  the  link  from  X4  to  xi  is  not  vulnerable  because 
G4-1  =  0.  Notice  that  this  example  is  not  a  trivial  example,  like  a  diagonal  or  a  triangular 
system,  since  there  are  cycles  that  contain  both  nodes  x-i  and  x4. 

Corollary  4.  Let  A  e  Rnxn.  A  perturbation  on  the  (i,j)th  entry  of  A  changes  its  eigenvalues 
if  and  only  if  the  Gjj  /=  0,  where  G  =  (si  -  A)-1  is  the  transfer  function  matrix  i.e.  the 
(i,j)  minor  of  (si  -  A)  is  nonzero. 

Proof.  Take  the  system  from  Corollary  3.  We  can  see  that  a  perturbation  on  the  (/,  j)th 
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entry  has  no  effect  on  the  system  if  G,y  =  0.  Also,  if  Gy,  /=  0,  the  perturbation  forms  a 
closed  loop  system,  such  as  the  one  given  in  Figure  12,  in  which  case  A  definitely  changes 
the  poles  of  the  system.  □ 

If  we  take  the  A  matrix  from  Example  5,  note  that  its  eigenvalues  stay  unchanged  for 
any  perturbation  on  the  (1, 4)th  entry. 
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Structure  and  Vulnerability  To  perform  the  vulnerability  analysis  of  a  system,  we  assume 
that  the  attacker  can  only  modify  existing  links  and  cannot  create  new  links.  With  this 
assumption,  we  can  see  that  systems  where  the  output  nodes  do  not  form  a  cycle  are  always 
secure,  because  in  such  a  case  the  nodes  can  be  permuted  to  obtain  a  triangular  Q  matrix. 
A  triangular  Q  matrix  gives  a  triangular  H,  and  by  applying  Theorem  2  we  can  see  that 
all  the  existing  links  are  secure.  Note  that  secure  links  doesn’t  always  mean  they  are  from 
a  triangular  system.  For  example,  the  link  Q14  is  secure  in  the  system  given  in  Figure  13, 
which  is  the  signal  structure  architecture  of  the  state-space  system  in  Example  5. 
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Figure  13:  A  system  with  a  secure  link  in  a  cycle.  Black  arrows  represent  the  secure  links. 


Noting  that  certain  graphical  structures  result  in  secure  links  begs  the  question  of  whether 
there  are  particular  dynamics  that  contribute  to  secure  or  vulnerable  links  in  the  system’s 
architecture.  The  following  theorem  answers  this  question. 

Theorem  3.  Every  transfer  function  G  has  a  completely  secure  architecture  ( P ,  Q). 


Proof.  For  any  transfer  function  G,  note  that  (P  =  G,  Q  =  0)  is  an  admissible  Dynamical 
Structure  Function  since  G  =  (/  -  0)-1G.  From  Corollary  1,  we  see  that  none  of  the  links 
in  P  are  vulnerable,  and  since  Q  has  no  links,  the  system  is  secure. 

This  result  shows  that  the  vulnerability  of  a  system  is  structure  dependent  and  not 
a  function  of  the  system  dynamics.  This  fact  highlights  one  difference  between  the 
vulnerability,  which  depends  on  the  system  structure  and  not  the  dynamics,  and  the 
robustness,  which  depends  on  the  dynamics  and  not  the  system  structure. 

Measure  of  Vulnerability 

Feedback  is  very  common  in  both  natural  and  engineered  systems.  Nevertheless,  such 
structures  usually  generate  vulnerable  links.  Thus,  a  measure  of  vulnerability  is  essential  to 
understand  the  security  of  the  system. 

Given  a  signal  architecture  (P,  Q)  with  associated  closed  loop  transfer  function  T,  the 
vulnerability  of  link  (/,_/)  is  given  by 

Y/i  —  l|7"//lloo,  (25) 


which  is  the  inverse  of  the  smallest  perturbation  required  on  link  (/,_/)  to  destabilize  the 
system.  Since  all  the  links  in  P  are  secure,  we  only  consider  the  links  in  Q  while  computing 
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the  vulnerability,  hence,  T  =  H.  The  vulnerability  of  the  system  is  given  by 


(26) 

(27) 


V  =  max  Vji 

VJ)eQ 

=  max 

(/',/')£  Q 


//I 


This  measure  allows  us  to  associate  a  size  of  the  smallest  destabilizing  perturbation  with 
every  link  in  the  system  architecture.  Secure  links  thus  have  a  vulnerability  of  0.  Note  that 
V ,  the  system  vulnerability,  is  less  than  or  equal  to  the  inverse  of  the  size  of  the  smallest 
destabilizing  perturbation  for  the  system,  since  link  perturbations  are  restricted  to  act  on  a 
single  link  only. 

4.3.5  Numerical  Example 

Let  us  consider  a  system  with  the  architecture  given  in  Figure  14  where, 


itf  0  0 

p  =  □  o  -4-  o 

r  s+1 

0  0^ 
s+1 


and 


0 

0 


0 

Q  =  u_L 
s+2 
0  -L- 

s+3 


_ 1_ 

s+1 


0 

0 


The  transfer  function  matrix  for  the  system  is  given  by 


s-+6s-  +11s+6  s+2 

d(s)  d(s) 

2  3  2 

=  s  +4s+3  s  +6s  +1 1  s+6 
d(s)  d(s) 

s+1  +3s+2 

d(s)  d(s) 


s-+5s+6 

d(s) 

s+3  l- 
d(s)  s3+6s2  7 

+11  s+6  d(s) 


where  d(s)  =  s4  +  7s3  +  17s2  +  16s  +  5.  By  small  gain  theorem,  the  size  of  the  smallest 
destabilizing  perturbation  is  ||G||_'1"=  0.42  could  destabilize  the  system. 


Let  /-/=(/  —  Q)-1  represent  the  transfer  function  between  the  measured  states  y,-.  Since 
the  links  in  P  are  not  vulnerable,  we  consider  the  perturbations  on  the  links  in  Q  which  are 
the  links  (71,72),  (72.73).  and  (73, 71).  To  compute  the  vulnerability  of  these  links  we  need 
the  following  transfer  functions: 


H-\2  — 

H23  = 
H31  = 


s+2 

s3  +  6s2+  11s +  5 
s+3 

s3  +  6s2+  11s +  5 
s  +  1 

s3  +  6s2+  11s +  5' 


For  this  system  v2i  =  0.4,  v32  =  0.6,  and  v13  =  0.2.  Hence,  V  =  v23  =  0.6  <  ||G||oo,  and  the 


smallest  perturbation  on  a  single  link  that  can  destabilize  this  system  must  have  a  gain  of 
^=^.67. 
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Figure  14:  Vulnerable  and  secure  architectures  for  the  same  transfer  function.  Black  links 
are  secure,  vulnerable  links  are  colored  blue,  yellow,  and  red  in  the  increasing  order  of  their 
vulnerability. 

This  system  can  also  be  implemented  as  shown  in  Figure  14b,  where  P=  G.  This  is 
one  of  the  secure  implementations  of  the  system  in  Figure  14a.  From  this  example  we  thus 
observe  the  following: 

•  The  same  transferfunction  can  exhibit  both  vulnerable  and  secure  architectures, 

•  System  robustness,  characterized  by  the  size  of  the  smallest  destabilizing  perturbation 

(0.42  in  this  example),  is  not  equivalent  to  the  inverse  of  the  system  vulnerability, 
characterized  by  the  size  of  the  smallest  destabilizing  perturbation  on  a  single  link 
(about  1.67  in  this  example), 

•  Only  links  in  Q  can  be  vulnerable. 

4.4  Design  of  stabilizing  distributed  controllers  with  arbitrary 
signal  structure  constraints 

In  this  section,  we  present  a  procedure  to  design  a  controller  (Q,  P)  with  a  structure  given 
by  (Qbin,  Pbin)  to  stabilize  a  plant  with  the  transfer  function  matrix  G.  It  is  an  iterative 
procedure;  we  add  the  controller  links  to  the  plant  such  that  the  additional  link  attempts  to 
stabilize  the  plant  as  well  as  all  the  previously  added  controller  links.  The  procedure  is  as 
follows: 

Procedure  P 

1 .  Choose  an  undesigned  link  p/j  such  that  pbf  =  1 

2.  Design  p,y  to  stabilize  gy7  such  that  there  is  no  pole  zero  cancellation  in  PG.  That  is, 
the  controller  link  is  designed  such  that  it  stabilizes  the  transferfunction  it  sees,  and  there 
is  no  pole-zero  cancellation 


36 

APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED 


3.  After  adding  p/j,  if  the  closed  loop  system  (G,  P)  is  still  unstable,  repeatfor  all  pxy, 
fybin=  1,  so  that  the  added  link  attempts  to  stabilize  the  plant  as  well  as  all  the 
previously  added  controller  links. 

4.  If  the  closed  loop  system  S,  formed  by  adding  P  in  feedback  with  G,  is  still  unstable, 
add  links  in  Qbin  such  that  there  is  no  pole-zero  cancellation  between  Q  and  S.  Again, 
each  added  link  attempts  to  stabilize  the  plant  G  along  with  the  previously  added  links 
of  P  and  Q. 

Theorem  4.  Given  a  transfer  function  matrix,  G,  and  a  desired  signal  structure  for  a  feed¬ 
back  controller  characterized  by  (Qbin,  P  bin),  Procedure  P  either  delivers  a  stabilizing 
controller  with  the  desired  structure  or  no  such  controller  exists. 


This  theorem  says  that  if  the  controller  obtained  using  this  procedure  does  not  stabilize 
the  plant,  then  there  is  no  controller  of  the  given  structure  that  can  stabilize  it.  Hence,  this 
procedure  provides  a  test  for  the  existence  of  a  structured  stabilizing  controller,  and  if  such 
a  controller  exists,  it  synthesizes  a  nominal  stabilizing  controller  that  meets  the  structural 
constraint.  Before  proving  this  theorem,  we  will  prove  some  lemmata. 

Lemma  2.  Let  K  be  the  controller  transfer  function.  A  link  k/j  cannot  affect  a  mode  of  the 
plant  G  that  is  not  observable  or  controllable  from  this  link. 


Proof.  Let, 


G  = 


‘  A 

B  1 

C 

&  J 

and  ktJ 


Bk 

0 

Since  we  are  only  adding  one  link,  both  of  these  systems  are  SISO.  Using  the  Kalman 
decomposition  on  G,  we  can  transform  it  such  that 
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4XO 

0  " 

Bco 

Acx 

4.Cd 

4xx 
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Bco 
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0 
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0 
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C  =  [C«,  0  Ccg  0]  ,  and  D  =  d. 


Here,  the  eigenvalues  of  ACo,  Ac0,  and  A ^  are  the  modes  of  G  that  are  unobservable, 
uncontrollable,  and  both  respectively  from  feedback  link  k/j. 

The  closed  loop  modes  are  given  by  the  eigenvalues  of  the  following  matrix: 
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Transforming  this  matrix  using  the  permutation 
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we  get, 
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We  can  see  that  AdT  is  block  triangular,  and  the  uncontrollable  or  unobservable  modes, 
namely  the  eigenvalues  of  Ado,  ACo,  and  A are  not  affected  by  the  choices  of  Ak,Bk,  or 
Ck.  □ 

This  result  shows  that  when  a  controller  link  is  added  to  the  system  such  that  it  stabilizes 
all  the  modes  that  it  can  control  and  observe,  it  cannot  destabilize  other  modes  of  the  system 
that  are  already  stable.  Now,  the  following  lemma  gives  a  necessary  and  sufficient  condition 
for  the  existence  of  the  controller  with  transfer  function  structure  Kbin. 

Lemma  3.  There  exists  a  controller  with  pattern  Kbm  that  stabilizes  a  plant  G  if  and  only  if 
every  unstable  mode  of  G  is  controllable  and  observable  from  at  least  one  link  k/j,  kbjy  =  1 . 

Proof.  From  Lemma  2,  we  know  that  a  link  in  the  feedback  controller  cannot  affect  the 
uncontrollable  or  unobservable  modes.  Hence,  any  controller  that  stabilizes  a  given  G  must 
have  links  such  that  all  the  unstable  modes  are  both  controllable  and  observable  from  at 
least  one  of  the  controller  link.  Also,  if  every  unstable  mode  is  controllable  and  observable 
from  some  controller  links,  these  links  can  stabilize  the  plant.  □ 

lemmata  2  and  3  allow  us  to  add  links  in  P,  since  adding  a  link  in  P  cannot  change 
the  controllability/observability  of  the  plant  for  the  other  links  in  P.  However,  adding  these 
links  might  cause  the  links  in  Q  to  lose  controllability  or  observability  of  some  of  the  modes, 
because  links  in  Q  are  added  on  top  of  the  links  in  P.  Also,  the  links  in  Q  themselves  can 
create  controllability/observability  issues  for  subsequent  links  in  Q. 

Loss  of  observability/controllability  can  happen  for  two  reasons:  structurally  or  by  ex¬ 
act  cancellations.  If  it  happens  because  of  structural  reasons,  the  system  stays  uncontrol¬ 
lable/unobservable  for  any  choice  of  P  or  Q  as  long  as  it  has  the  same  structure.  However, 
if  the  problem  occurs  because  of  exact  cancellations,  we  can  avoid  these  issues  by  a  proper 
choice  of  the  transfer  function.  Lemma  4  provides  a  methodology  to  design  P  and  Q  such 
that  these  cancellations  are  prevented.  We  will  use  the  following  result  from  [2]  to  prove  the 
lemma. 
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Theorem  5.  Let  G,  H  be  proper  rational  transfer  function  matrices  and  suppose  that  det[/+ 
G{co)h  (oo)]  /=  o.  Then  all  the  poles  of  the  transfer  function  matrix 


W  = 


(/  +  HG)-1 
G(I  +  HG r1 


-H(/  +  GH)-1 
(/  +  GH)"1 


are  stable  if  and  only  if 

•  GH  has  no  unstable  pole-zero  cancellation,  and 

•  all  the  poles  of  (/  +  GH)-1  are  stable. 

Proof.  See  [2]  Theorem  5.  □ 

Lemma  4.  Loss  of  controllability/observability  can  be  prevented  from  each  link  in  Q  if  pole- 
zero  cancellations  are  avoided  in  PG  and  QS.  Here,  S  is  the  closed  loop  transfer  function 
that  Q  observes  and  controls. 

Proof.  The  transfer  function  that  Q  observes  for  the  closed  loop  system  formed  by  adding 
P  in  feedback  with  G  is  given  by  S  =  (/  -  PG)-1.  Using  the  Theorem  5,  since  there  is 
no  pole  zero  cancellations  in  PG,  the  closed  loop  system  is  stable  if  and  only  if  S  is  stable. 
Which  says  that  this  transfer  function  has  all  the  poles  of  the  system.  Hence  Q  observes 
and  controls  all  the  poles  of  the  system  after  adding  all  the  links  in  P  if  there  is  no  pole  zero 
cancellation  in  PG. 

Similarly,  when  adding  the  links  in  Q  if  there  is  no  pole  zero  cancellation  in  QS  the 
controllability  and  observability  properties  are  maintained.  That  is,  if  a  mode  is  observ¬ 
able/controllable  from  a  link  Q/j  for  some  choices  of  the  other  links  in  the  controller,  then 
choosing  the  links  in  this  fashion  will  keep  the  mode  observable/controllable  from  Q/j.  □ 

Now  we  will  present  the  proof  of  Theorem  1: 

Proof.  For  every  controller  link  that  is  added,  either  in  P  or  Q,  it  stabilizes  all  the  modes  that 
are  controllable  and  observable.  Also,  by  Lemma  2,  a  newly  added  link  cannot  destabilize  a 
mode  that  was  already  stable.  Hence  with  every  new  link  added  to  the  system,  the  number 
of  unstable  modes  either  decreases  or  stays  the  same. 

If  every  unstable  mode  in  the  system  is  controllable  and  observable  by  some  link,  it  gets 
stabilized.  If  the  plant  has  an  unstable  mode  that  is  uncontrollable  and  unobservable  from 
every  link  in  P  and  Q,  then  by  Lemma  3,  there  is  no  controller  with  the  given  pattern  that 
stabilizes  the  plant.  Also,  since  the  added  links  satisfy  the  conditions  in  Lemma  4,  if  a  mode 
is  controllable  or  observable  from  a  link  for  any  choices  previously  added  links,  then  it  is 
controllable  and  observable.  □ 

5  Conclusions 

Our  work  demonstrates  that  Dynamical  Structure  Functions  can  be  used  to  map  the 
interference  relationships  of  links  in  a  wireless  network.  This  method  uses  a  model  we 
have  developed  for  the  IEEE  802.11  MAC  that  uses  differential  equations  to  capture  its 
dynamics 
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and  equilibrium  behavior.  An  advantage  of  this  method  is  that  it  can  be  used  to  detect 
transitory  interference  from  devices  that  are  not  a  part  of  the  managed  network. 

Two  important  aspects  of  our  reconstruction  algorithm  are  that  the  network  must  reach 
equilibrium  for  each  perturbation  test,  and  that  the  tests  must  be  coordinated  by  a 
centralized  controller.  As  part  of  our  future  work  we  will  use  experimental  validation  to 
explore  how  quickly  equilibrium  can  be  reached  and  the  overhead  required  to  conduct  the 
experiments.  We  also  want  to  test  the  impact  of  the  tests  on  live  traffic,  to  ensure  they  are 
non-invasive.  We  are  also  investigating  how  to  distribute  the  reconstruction  algorithm. 
Finally,  we  are  interested  in  determining  how  we  can  use  DSF  to  build  an  optimal  rate 
controller  for  wireless  networks. 

We  also  considered  a  number  of  theoretical  results,  namely  the  necessary  and  sufficient 
informativity  conditions  for  network  reconstruction,  a  theory  of  vulnerability  for  open-  and 
closed-loop  systems,  and  a  heuristic  for  designing  decentralized  controllers  to  satisfy  an 
arbitrary  signal  structure  constraint.  Each  of  these  results  suggest  new  questions  about  the 
nature  of  network  structure  on  a  networks  performance  and  robustness.  Future  work  will 
explore  these  results  in  more  detail,  extending  them  to  the  nonlinear  setting  and  introducing 
them  to  a  variety  of  applications. 
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7  List  of  Acronyms 


AIC 

BIC 

DOS 

DSI 

IP 

MAC 

NS 

RF 

TCP 

TF 

UDP 


Akaike  Information  Criterion 
Bayesian  Information  Criterion 
Denial  of  Service 
Dynamical  Structure  Function 
Internet  Protocol 
Media  Access  Control 
Network  Simulation 
Radio  Frequency 
Transmission  Control  Protocol 
Transitory  Interference 
User  Data  Protocol 
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